[j-nsp] solution to a firewall question

Vijesh Chandran vijesh at juniper.net
Thu Apr 23 20:24:29 EDT 2015


Is there a programming difference between 'firewall filter' and 'firewall family inet filter' (ignore the v4 part of that)?

  AFAIK, family inet filter will skip all subsequent terms if a packet matches the first term. Is that not true for family filter?


-Vijesh


________________________________
From: Damien DeVille <damien.deville at gmail.com>
Sent: Thursday, April 23, 2015 5:17 PM
To: Vijesh Chandran
Cc: Olivier Benghozi; juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] solution to a firewall question

Actually, my example is incorrect.  Filter f1 should read as follows:

ddeville at testlab-rtr# show firewall
filter f1 {
    term 1 {
        from {
            protocol tcp;
            destination-port 80;
        }
        then {
            count tcp_80;
        }
    }
}

When written this way, the second filter "f2" will be evaluated as part of the chain.  See http://www.juniper.net/documentation/en_US/junos13.3/topics/concept/firewall-filter-option-multiple-listed-overview.html#jd0e195



- Damien

On Thu, Apr 23, 2015 at 6:12 PM, Damien DeVille <damien.deville at gmail.com> wrote:
While I don't understand why you have the requirement that you can't use next-term (seems to be arbitrary), you can accomplish this with the "input-list" option (https://www.juniper.net/documentation/en_US/junos14.2/topics/reference/configuration-statement/input-list-edit-interfaces.html)

Here is a sample configuration:

ddeville at testlab-rtr# show interfaces ge-0/0/0
unit 0 {
    family inet {
        filter {
            input-list [ f1 f2 ];
        }
        address 192.168.1.2/32;
    }
}

ddeville at testlab-rtr# show firewall
filter f1 {
    term 1 {
        from {
            protocol tcp;
            destination-port 80;
        }
        then {
            count tcp_80;
            accept;
        }
    }
}
filter f2 {
    term 1 {
        from {
            dscp ef;
        }
        then {
            forwarding-class expedited-forwarding;
            accept;
        }
    }
}

- Damien

On Thu, Apr 23, 2015 at 5:38 PM, Vijesh Chandran <vijesh at juniper.net> wrote:
Hi Olivier,
 My bad that I didn't specify this in the original mail...
The caveat here is that next term shall be avoided, as per the requirement.
-Thanks,
 Vijesh


________________________________________
From: juniper-nsp <juniper-nsp-bounces at puck.nether.net> on behalf of Olivier Benghozi <olivier.benghozi at wifirst.fr>
Sent: Thursday, April 23, 2015 11:39 AM
To: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] solution to a firewall question

Replace accept with next term in f1?

next term works across the filter list from what I see and according to the documentation ( http://www.juniper.net/documentation/en_US/junos13.3/topics/concept/firewall-filter-option-multiple-listed-overview.html ).


Olivier

> On 23 Apr 2015, at 17:18, Vijesh Chandran <vijesh at juniper.net> wrote:
>
> Hi all,
>  I am wondering if we have a solution to this issue.
>  I need two firewall attached to an interface as input-list. e.g.: f1 and f2.
>  Input-list [f1 f2]
>  f1 to match a condition (all tcp port 80) and accept and count that packet.
>  f2 to classify those packets based on code points and push to a forwarding class. Is this possible?
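
The chain semantics the thread argues about, as a small added Python model (not Junos code, not from any poster, and not an authoritative description of the Junos forwarding path). It encodes only what the replies above claim: filters in an input-list are evaluated in order; an accept or discard in a matching term ends evaluation of the whole chain, which is why Damien's first f1 kept f2 from ever seeing the tcp/80 packets; a matching term with only non-terminating actions (count, forwarding-class) leaves its filter and falls through to the next filter, which is Damien's corrected f1; next term continues with the following term and, at the end of a filter, with the next filter, which is Olivier's suggestion; and a packet that matches nothing by the end of the chain is discarded. Packets, counters and the Verdict type are constructed for the example.

```python
"""Toy model of Junos input-list evaluation as described in the thread.

Modeling assumptions (from the replies, not from Junos documentation or
source): accept/discard in a matching term ends the whole chain; a
matching term with only non-terminating actions falls through to the next
filter; 'next term' continues to the next term, or to the next filter at
the end of a filter; the implicit discard sits at the end of the chain.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ACCEPT, DISCARD, NEXT_TERM = "accept", "discard", "next term"


@dataclass
class Packet:                      # constructed sample packet fields
    protocol: str
    destination_port: int
    dscp: str


@dataclass
class Term:
    name: str
    match: Dict[str, object]       # the 'from' clause, e.g. {"protocol": "tcp"}
    count: Optional[str] = None    # counter name of a 'count' action
    forwarding_class: Optional[str] = None
    terminating: Optional[str] = None   # ACCEPT, DISCARD, NEXT_TERM or None


@dataclass
class Filter:
    name: str
    terms: List[Term]


@dataclass
class Verdict:
    action: str
    forwarding_class: Optional[str] = None
    evaluated: List[str] = field(default_factory=list)   # filters that saw the packet
    counters: Dict[str, int] = field(default_factory=dict)


def term_matches(term: Term, pkt: Packet) -> bool:
    """A term with an empty 'from' clause matches every packet."""
    return all(getattr(pkt, key) == value for key, value in term.match.items())


def evaluate_chain(filters: List[Filter], pkt: Packet) -> Verdict:
    verdict = Verdict(action=DISCARD)
    for flt in filters:
        verdict.evaluated.append(flt.name)
        for term in flt.terms:
            if not term_matches(term, pkt):
                continue
            if term.count:
                verdict.counters[term.count] = verdict.counters.get(term.count, 0) + 1
            if term.forwarding_class:
                verdict.forwarding_class = term.forwarding_class
            if term.terminating == NEXT_TERM:
                continue                       # keep going within this filter
            if term.terminating in (ACCEPT, DISCARD):
                verdict.action = term.terminating
                return verdict                 # terminating action ends the chain
            break   # matched with non-terminating actions only: next filter
    return verdict  # nothing terminated the packet: implicit discard


def build_chain(f1_terminating: Optional[str]) -> List[Filter]:
    """f1 and f2 as posted in the thread; f1's terminating action varies."""
    f1 = Filter("f1", [Term("1", {"protocol": "tcp", "destination_port": 80},
                            count="tcp_80", terminating=f1_terminating)])
    f2 = Filter("f2", [Term("1", {"dscp": "ef"},
                            forwarding_class="expedited-forwarding",
                            terminating=ACCEPT)])
    return [f1, f2]


if __name__ == "__main__":
    web_ef = Packet("tcp", 80, "ef")
    for label, action in (("accept", ACCEPT), ("count only", None), ("next term", NEXT_TERM)):
        v = evaluate_chain(build_chain(action), web_ef)
        print(f"f1 with {label:10s}: evaluated={v.evaluated} action={v.action} "
              f"fc={v.forwarding_class} counters={v.counters}")
```

Under these assumptions the three f1 variants behave as the thread says: with accept, only f1 is evaluated and no forwarding class is set; with count only or next term, f2 is evaluated and sets expedited-forwarding. The model also shows the caveat worth checking on a real box before dropping accept from f1: a tcp/80 packet that is not dscp ef matches f1, falls through, matches nothing in f2 and ends at the implicit discard, so f2 needs a catch-all accept if that traffic is meant to pass.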

_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp